package com.sxj.corejava.code12_jdbc;

import java.sql.*;
import java.util.ArrayList;
import java.util.List;

/**
 * @author 石小俊
 * @date 2024年07月01日 8:40
 */
public class Test02_SQL注入 {

    public static void main(String[] args) {
//        List<User> users = selectByUsernameAndPassword("admin","123456");
//        List<User> users = selectByUsernameAndPassword("1' or '1' = '1","1' or '1' = '1");
//        List<User> users = selectByUsernameAndPassword2("admin","123456");
        List<User> users = selectByUsernameAndPassword2("1' or '1' = '1", "1' or '1' = '1");
        if (users.isEmpty()) {
            System.out.println("错误:您输入的用户名或密码有误!");
        } else {
            System.out.println("提示:恭喜您,登录成功!");
            for (User user : users) {
                System.out.println(user);
            }
        }
    }

    public static List<User> selectByUsernameAndPassword(String username, String password) {
        Connection conn = null;
        Statement st = null;
        ResultSet rs = null;
        List<User> users = new ArrayList<>();
        try {
            Class.forName("com.mysql.jdbc.Driver");
            conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/jdbc?useUnicode=true&characterEncoding=utf-8", "root", "");
            st = conn.createStatement();
            String sql = "select id,username,password,phone,address from t_user where username = '" + username + "' and password = '" + password + "'";
            rs = st.executeQuery(sql);
            while (rs.next()) {
                User user = new User();
                user.setId(rs.getInt("id"));
                user.setUsername(rs.getString("username"));
                user.setPassword(rs.getString("password"));
                user.setPhone(rs.getString("phone"));
                user.setAddress(rs.getString("address"));
                users.add(user);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return users;
    }

    public static List<User> selectByUsernameAndPassword2(String username, String password) {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        List<User> users = new ArrayList<>();
        try {
            Class.forName("com.mysql.jdbc.Driver");
            conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/jdbc?useUnicode=true&characterEncoding=utf-8", "root", "");

            // 先准备sql
            // String sql = "select id,username,password,phone,address from t_user where username = ? and password = ?";
            String sql = new StringBuffer()
                    .append(" select id,username,password,phone,address ")
                    .append(" from t_user ")
                    .append(" where username = ? ")
                    .append(" and password = ? ")
                    .toString();

            // 获取状态集
            ps = conn.prepareStatement(sql);
            // 在预编译的时候需要处理?
            // 因此,获取状态集之后,通过状态集设置?所对应的参数的值
            // ps.setXxx(index,value):设置指定类型xxx的参数
            // index:表示第几个?,起始值为1
            // value:表示参数的值
            ps.setString(1, username);
            ps.setString(2, password);

            rs = ps.executeQuery();
            while (rs.next()) {
                User user = new User();
                user.setId(rs.getInt("id"));
                user.setUsername(rs.getString("username"));
                user.setPassword(rs.getString("password"));
                user.setPhone(rs.getString("phone"));
                user.setAddress(rs.getString("address"));
                users.add(user);
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (SQLException e) {
            e.printStackTrace();
        }
        return users;
    }

}
